Commit, Validate, and Preview Firewall Configuration Changes

A commit is the process of activating changes that you made to the firewall configuration. The firewall queues commit operations in the order you and other administrators initiate them. If the queue already has the maximum number of commits (which varies by platform), you must wait for the firewall to process a pending commit before initiating a new commit. To cancel pending commits or view details about commits of any status, see
Manage and Monitor Administrative Tasks. To check which changes a commit will activate, you can run a commit preview.

When you initiate a commit, the firewall checks the validity of the changes before activating them. The validation output displays conditions that either block the commit (errors) or that are important to know but that do not block the commit (warnings). For example, validation could indicate an invalid route destination that you need to fix for the commit to succeed. To identify and fix configuration errors before initiating a commit, you can validate changes without committing. A pre-commit validation displays the same errors and warnings as a commit, including reference errors, rule shadowing, and application dependency warnings. Pre-commit validations are useful if your organization allows commits only within certain time windows; you can find and fix errors to avoid failures that could cause you to miss a commit window.

Preview, Validate, or Commit Firewall Configuration Changes

Configure the commit, validation, or preview options.

Click
Commit
at the top of the web interface.
(
Optional
) Exclude certain types of configuration changes. These options are included (enabled) by default.
If dependencies between the configuration changes you included and excluded cause a validation error, perform the commit with all the changes included. For example, if your changes introduce a new Log Forwarding profile (an object) that references a new Syslog server profile (a device setting), the commit must include both the policy and object configuration and the device and network configuration.
Include Device and Network configuration
Include Policy and Object configuration
—This is available only on firewalls for which multiple virtual systems capability is disabled.
Include Shared Object configuration
—This is available only on firewalls with multiple virtual systems.
Include Virtual System configuration
—This is available only on firewalls with multiple virtual systems.
Select All virtual systems
(default) or
Select one or more virtual systems
in the list.
(
Optional
) Enter a
Description
for the commit. A brief summary of what changed in the configuration is useful to other administrators who want to know what changes were made without performing a configuration audit.

(
Optional
) Preview the changes that the commit will activate. This can be useful if, for example, you don’t remember all your changes and you’re not sure you want to activate all of them.
The firewall displays the changes in a new window that shows the running and candidate configurations side by side using colors to highlight the differences line by line.

Click
Preview Changes.
Select the
Lines of Context, which is the number of lines from the compared configuration files to display before and after each highlighted difference. These additional lines help you correlate the preview output to settings in the web interface.
Because the preview results display in a new window, your browser must allow pop-up windows. If the preview window does not open, refer to your browser documentation for the steps to unblock pop-up windows.
Close the preview window when you finish reviewing the changes.

(
Optional
) Validate the changes before you commit to ensure the commit will succeed.

Click
Validate Changes. The results display all the errors and warnings that an actual commit would display.
Resolve any errors that the validation results identify.

Related Documentation

Panorama Commit and Validation Operations

Panorama Commit and Validation Operations When you are ready to activate changes that you made to the candidate configuration on Panorama or to push changes ...

Commit Changes

Commit Changes Click Commit at the top right of the web interface to commit, validate, or preview your changes to the firewall configuration. Committing applies ...

Preview, Validate, or Commit Configuration Changes

Preview, Validate, or Commit Configuration Changes You can preview, validate, and commit changes in the candidate configuration on Panorama or changes that Panorama pushes to ...

Commit Your Changes in Panorama

Commit Your Changes in Panorama Click Commit at the top right of the web interface to commit, validate, or preview your changes to the Panorama ...

Commit Configuration Changes

Commit Configuration Changes Any change in the Palo Alto Networks device configuration is first written to the candidate configuration. The change only takes effect on ...

Manage Configuration Backups

Manage Configuration Backups The running configuration comprises all settings you have committed and that are therefore active, such as policy rules that currently block or ...

Commit Queues

Commit Queues The firewall and Panorama now queue commit operations so that you can initiate a new commit while a previous commit is still in ...

Manage Panorama and Firewall Configuration Backups

Manage Panorama and Firewall Configuration Backups The running configuration on Panorama comprises all the settings that you have committed and that are therefore active. The ...

Compare Changes in Panorama Configurations

Compare Changes in Panorama Configurations To compare configuration changes on Panorama, you can select any two sets of configuration files: the candidate configuration, the running ...

Manage Locks for Restricting Configuration Changes

Manage Locks for Restricting Configuration Changes You can use configuration locks to prevent other administrators from changing the candidate configuration or from committing configuration changes ...